What to Expect
To help you better understand a computer forensic investigation, the basic process is outlined below:
1. Acquisition – The first step in a computer forensic case is to copy the original evidence. This is a scientific process where the data is copied exactly as it is on the original. Digital copies are often allowable as evidence, because the process includes a check and balance procedure to ensure that no data has been altered.
2. Indexing – Following successful acquisition, the data is indexed. Indexing gives the examiner a preliminary overview of what the hard drive contains and organizes the data for a streamlined analysis. The files are categorized and some of the deleted files are recovered during this process. The categories include: e-mail, documents, spreadsheets, internet files, pictures and deleted items.
3. Analysis – After the index is completed, the data is ready to be analyzed. A forensic analysis of the data includes the “what, where and when” of the data. For example, if an e-mail is recovered, it can be analyzed to attempt to find who sent it, the date it was sent and its current status on the computer (deleted, filed away, saved in the inbox). Several tools are available to help the examiner locate certain items for the case. Keyword searches are the fastest way to locate items of importance. Keywords are any search terms, such as names, credit card numbers or e-mail addresses, that the examiner can use to locate data quickly. We allow our examinations to be dictated by the client for a fast, focused examination. In some cases, our clients have visited our lab to help the examiner identify data that may be of import to their case.
4. Reporting – The last step is to report the findings of the analysis conducted. Most reports are in hard copy; however, when the amount of data is large, reports can be produced on a compact disc. Reports are very detailed but easy to read so anyone can understand them.
Large amounts of data reside on hard drives, so the more specific you are with your requests, the more efficient a forensic examination can be. If you are wondering what relationships one individual may have shared with another, we can analyze communications to see if a relationship existed. If you are looking for a particular memorandum, keyword searches can be used to locate that specific document. After any document or information is located, analysis will be conducted to determine the origin, modifications, dates/times or transmissions. The scope of our investigation is dictated by clients to avoid analyzing superfluous information.
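As an added illustration of steps 1 and 3 (not this firm's tooling and not code from the original page), the Python below copies a file while hashing it, re-checks the copy later, and reports the byte offset of each keyword hit. SHA-256 as the integrity check, the function names and the sample data are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large drives do not exhaust memory

def sha256_of(path):
    """Hash a file in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire(source, image):
    """Copy source to image byte for byte, hashing the data as it is read."""
    digest = hashlib.sha256()  # assumption: SHA-256 serves as the integrity check
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()

def verify(image, acquisition_hash):
    """True only if the image still matches the hash recorded at acquisition."""
    return sha256_of(image) == acquisition_hash

def keyword_hits(image, keywords):
    """Return (byte offset, matched text) pairs from a raw, case-insensitive search."""
    data = Path(image).read_bytes()  # fine for a sample; real images need chunked search
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.I)
    return [(m.start(), m.group().decode()) for m in pattern.finditer(data)]

def demo():
    """Run the steps on constructed sample data standing in for a drive."""
    work = Path(tempfile.mkdtemp())
    source, image = work / "source.bin", work / "evidence.img"
    source.write_bytes(b"\x00" * 512 + b"From: alice@example.com" + b"\x00" * 100 + b"Project Memo")
    recorded = acquire(source, image)
    intact = verify(image, recorded)
    hits = keyword_hits(image, ["alice@example.com", "memo"])
    with open(image, "r+b") as fh:  # simulate a single altered byte in the copy
        fh.write(b"\x01")
    return intact, hits, verify(image, recorded)

if __name__ == "__main__":
    print(demo())
```

Because the search runs over raw bytes rather than through the file system, it reports hits by offset regardless of whether the data belongs to a live file.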
Call 440.546.7545 or e-mail inquiries@ddforensicsgroup.com for further inquiries or to schedule a meeting. All inquiries are kept strictly confidential.